Federal government cracking down on education technology company due to improper security measures, millions of users affected

More than 40 million users’ personal information was exposed, according to the FTC
The Federal Trade Commission says Chegg fell victim to multiple phishing attacks and security breaches dating back to 2017 due to lax security measures.
Published: Nov. 2, 2022 at 7:28 PM EDT

CHARLOTTE, N.C. (WBTV) - The Federal Trade Commission is handing down strong orders to a popular educational technology company used by millions of high school and college students.

Earlier this week, the FTC filed a complaint against the company, Chegg Inc., for its careless security measures that exposed millions of users’ personal information including passwords, gender, sexual orientation, family income, and employees’ direct deposit information.

According to the complaint, Chegg allegedly failed to update and strengthen its security measures even though it experienced multiple breaches dating back to 2017.

“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “[This] order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”

The web-based company allows users to buy/rent and sell textbooks, get textbook homework help, use tutoring services, and use the website for scholarship searches.

Johnson C. Smith University student Tay-Keara Bristol has an account with Chegg and says she was disheartened to hear about the data breaches.

“It’s definitely worrisome because we use these sites just to get extra help in class and class is already hard enough as it is,” Bristol said. “Having to worry about your passwords and your information being leaked is very worrisome because you can do a lot with those passwords.”

According to the complaint document, a former contractor accessed one of the company’s third-party cloud databases in April 2018 using credentials that Chegg shared with current employees and outside contractors. The former contractor accessed the database which contained the personal information of more than 40 million users who were using the website’s scholarship search program.

This personal information included names, passwords, gender identity, sexual orientation, heritage, family income, and disabilities.

In addition, the FTC states Chegg was storing user information in plain text, without proper encryption.

The complaint goes on to state that employees fell victim to phishing attacks in 2019 and 2020.

“Data privacy is a top priority for Chegg. Chegg worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission’s Administrative Order. The incidents in the Federal Trade Commission’s complaint related to issues that occurred more than two years ago. No monetary fines were assessed,” a spokesperson from Chegg said in a statement.

UNC Charlotte student Stephen Beckett has used Chegg in the past for help with his homework. Now he says he’s second-guessing using the website.

“A ton of my friends use it, I used it in the past, it’s scary knowing that your information is out for anybody to get and take that information,” Beckett said.

According to the documents, the FTC claims that up until 2021, Chegg did not have any written security policies, standards, procedures, or practices. In addition, the Commission says Chegg did not provide proper data security training to its employees, did not have multi-factor authentication, and was storing users’ personal data after it was no longer needed.

WBTV spoke to Chris Furtick, the Director of Incident Response and Security Engineering for Fortalice Solutions, a cyber security company.

“It’s unfortunate that it took four data breaches for the FTC to act on this but hopefully moving forward it is a lesson to other companies to make sure that they are providing adequate controls for client data,” Furtick said.

Furtick says users can take two steps to protect themselves moving forward, which are to have unique passwords and do a credit freeze if their financial information is exposed.

“Make sure that you have a unique password there so if and when a breach occurs on one of those services, you’re not exposing yourself to all your other accounts,” Furtick said. “The next thing to do is have a credit freeze put in place, you can do that through any of the major credit bureaus, and that will ensure that no accounts can be opened in your name based on information that was stolen from one of these service providers.”

The FTC is ordering Chegg to do the following:

  • Detail and Limit Data Collection: Chegg must document and follow a schedule that sets out what personal information the company collects, why it collects the information, and when it will delete the information.
  • Provide Consumer Access to Data: Chegg must provide its customers access to data collected about them and allow them to request that the company delete that data.
  • Implement Multifactor Authentication: Chegg must provide multifactor authentication or another authentication method to its customers and employees to help protect their accounts.
  • Implement Security Program: Chegg must implement a comprehensive information security program that addresses the flaws in the company’s data security practices including encrypting consumer data and providing security training to its employees.

JCSU student Kobe Livingstone tells WBTV he’s also hesitant to continue using Chegg knowing the history of the company’s security issues.

“I hope things get better. I hope they take better precautions toward their use, but until then I don’t think I can see myself using something like that again,” Livingstone said.

Chegg released a statement to WBTV stating it is working to improve its security measures.

“We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program. Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts. The majority of the security requirements are already a part of our operations. Any additional requirements will be in place according to the timelines outlined in our agreement with the FTC,” a spokesperson from Chegg said in a statement.